CPPA Issues Draft CPRA Regulations on Risk Assessment and Cybersecurity Audit

8 months ago AndyC

Listen to this post

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on

CPPA Issues Draft CPRA Regulations on Risk Assessment and Cybersecurity Audit
Listen to this post

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on Risk Assessment and Cybersecurity Audit (the “Draft Regulations”). The CPPA Board will discuss the Draft Regulations during a public meeting on September 8, 2023.

In issuing the Draft Regulations, the CPPA Board makes clear that it has not yet started the formal rulemaking process for cybersecurity audits, risk assessments or automated decision-making technology, and that these Draft Regulations are intended to facilitate Board and public discussion and are subject to further changes. Nevertheless, the Draft Regulations provide insights into the type of requirements companies may be expected to comply with in the future.

Key highlights of the Draft Regulations include:

Draft Risk Assessment Regulations

  • New definitions for “Artificial Intelligence” and “Automated Decision-Making Technology”;
  • Examples of processing activities that present significant risk to consumers’ privacy and warrant a risk assessment;
  • Illustrative examples of when a business must conduct a risk assessment;
  • Content requirements for risk assessments;
  • Additional requirements for businesses using automated decision-making technology or processing personal information to train artificial intelligence or automated decision-making technology; and
  • Requirements to submit risk assessments to the CPPA.

Draft Cybersecurity Audit Regulations

  • The categories of businesses required to complete cybersecurity audits;
  • Detailed requirements for conducting cybersecurity audits; and
  • Requirements to submit a notice of compliance to the CPPA, including either (1) a written certification that the business has complied with the regulatory requirements during the 12-month period that the audit covers, or (2) a written acknowledgement that the business did not fully comply with the regulatory requirements during the 12-month period the audit covers, identifying areas of noncompliance and providing a remediation timeline or confirmation that remediation has been completed.

Notably, the CPPA did not release draft regulations relating to automated decision-making, which is another topic the CPPA intends to regulate alongside risk assessments and cybersecurity audits.

The public meeting, which will feature a discussion of the Draft Regulations, will begin on September 8, 2023 at 9:00 a.m. PDT.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , ,

More Stories

UK ICO and Ofcom Joint Statement on Regulation of Online Services

UK ICO and Ofcom Joint Statement on Regulation of Online Services

1 week ago AndyC
HHS Extends Protections for Reproductive Privacy Under HIPAA

HHS Extends Protections for Reproductive Privacy Under HIPAA

1 week ago AndyC
Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

1 week ago AndyC
CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

2 weeks ago AndyC
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

2 weeks ago AndyC
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

2 weeks ago AndyC

You may have missed

Graduation to Adulting: Navigating Identity Protection and Beyond!

Graduation to Adulting: Navigating Identity Protection and Beyond!

1 hour ago AndyC

How to Protect Your Internet-Connected Healthcare Devices

1 hour ago AndyC
Dell discloses data breach impacting millions of customers

Dell discloses data breach impacting millions of customers

1 hour ago AndyC
FBI Warns US Retailers That Cybercriminals Are Targeting Their Gift Card Systems

FBI Warns US Retailers That Cybercriminals Are Targeting Their Gift Card Systems

1 hour ago AndyC

How Criminals Are Using Generative AI

1 hour ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.